[or-cvs] Allow more clock skew from unrecognized hosts than from rec...
- To: or-cvs@freehaven.net
- Subject: [or-cvs] Allow more clock skew from unrecognized hosts than from rec...
- From: nickm@seul.org (Nick Mathewson)
- Date: Sun, 14 Nov 2004 17:08:28 -0500 (EST)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Sun, 14 Nov 2004 17:08:59 -0500
- Reply-to: or-dev@freehaven.net
- Sender: owner-or-cvs@freehaven.net
Update of /home/or/cvsroot/tor/src/or
In directory moria.mit.edu:/tmp/cvs-serv17653/src/or
Modified Files:
connection_or.c
Log Message:
Allow more clock skew from unrecognized hosts than from recognized ones.
Index: connection_or.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/connection_or.c,v
retrieving revision 1.139
retrieving revision 1.140
diff -u -d -r1.139 -r1.140
--- connection_or.c 13 Nov 2004 23:34:01 -0000 1.139
+++ connection_or.c 14 Nov 2004 22:08:25 -0000 1.140
@@ -12,6 +12,13 @@
#include "or.h"
+/** How much clock skew do we tolerate when checking certificates for
+ * known routers? (sec) */
+#define TIGHT_CERT_ALLOW_SKEW (90*60)
+/** How much clock skew do we tolerate when checking certificates for
+ * unknown routers/clients? (sec) */
+#define LOOSE_CERT_ALLOW_SKEW (24*60*60)
+
static int connection_tls_finish_handshake(connection_t *conn);
static int connection_or_process_cells_from_inbuf(connection_t *conn);
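Review bot: The doc comments on `TIGHT_CERT_ALLOW_SKEW` and `LOOSE_CERT_ALLOW_SKEW` give the unit but not the consequence of the loose value. Any peer that is not a known router gets 24 hours of tolerance on its certificate lifetime, so an expired certificate would presumably keep being accepted for up to a day. I would record that trade-off next to the constant, for example `/* Deliberately loose: unknown peers' certs are accepted up to 24h outside their validity window. */`. Whether the tolerance applies to both ends of the validity window depends on `tor_tls_check_lifetime`, which is not visible in this diff, so confirm that before stating it.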
@@ -362,6 +369,11 @@
nickname, conn->address, conn->port);
return -1;
}
+ if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
+ log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
+ nickname, conn->address, conn->port);
+ return -1;
+ }
log_fn(LOG_DEBUG,"The router's cert is valid.");
crypto_pk_get_digest(identity_rcvd, digest_rcvd);
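Review bot: The warning added after `tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)` fires at LOG_WARN before the identity-key comparison shown in the following hunk. Any peer presenting an out-of-window certificate can therefore produce a WARN line containing `nickname`, which at this point appears to be peer-supplied. Consider a lower severity for this branch, e.g. `log_fn(LOG_INFO, ...)`, keeping LOG_WARN for the known-router check in the `@@ -379` hunk, and confirm that `nickname` is validated before it reaches the log. A known router also has its lifetime checked twice, loose here and tight later; a short comment such as `/* Coarse check for everyone; known routers get the tight check below. */` would make that intent explicit. The enclosing function starts and ends outside the hunk.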
@@ -379,6 +391,14 @@
log_fn(LOG_WARN, "Identity key not as expected for %s", nickname);
return -1;
}
+ if (router_get_by_digest(digest_rcvd)) {
+ /* This is a known router; don't cut it slack with its clock skew. */
+ if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
+ log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate. Closing.",
+ nickname, conn->address, conn->port);
+ return -1;
+ }
+ }
if (connection_or_nonopen_was_started_here(conn)) {
/* I initiated this connection. */